Tiano Compression

Mar. 16, 2012

Implementing compression type 1 in j-bios (Tiano compression). The files are not implemented in the main toolchain yet. Decompression has already been ported to Python, if you want to have a look: tianodec.py

It is quite slow (takes ages compared to C/C++) but works on all systems.

Compression file is in work...

The type-1 tiano compression is used in some bioses, so far seen in Sony Vaio bioses.

Acer 5810tz

Feb. 6, 2012

Thanks to help from Dan living in Grand Junction, Co., I managed to enable Advanced settings on his Acer 5810tz. The patch is not yet implemented in the tools or at least it does not work yet. So hold on some days until it is released.

Sponsor wanted!

Every single day I get mails with Hewlett-Packard BIOSes attached for patching. HP bios patching is quite ugly since I have not yet found an ultimate way for patching them all with a common patch. Reason: I have no HP for analysis. Therefore I am looking for a sponsor who has a spare HP notebook not older than two years (so I have a current BIOS for analysis). Please contact me!

Please, PLEASE: do not ask for HP patches until this message changes. This will not happen before anyone sends me his or her HP notebook. I call sending it in "sponsoring" since I cannot guarantee for what is happening while playing around with the BIOS/UEFI.

InsydeH2O Bios - unhiding secrets

First of all I want to thank all the people out there doing their fine work, which helped me do my work.

The first person to mention is Hector Martin Cantero, better known as "marcan", who took the first step in analysing the InsydeH2O bioses that had VT (Vanderpool Technology) disabled. He managed to enable VT by patching the Setup Variables inside the bios file. His python scripts were the base of some modifications by some people - thanks to them even if I don't know their names - and those tools are the base of what I am introducing here.

Also I want to say thanks to all the people from tianocore, who developed the EDK and EDKII, which are the basic sources of EFI bios development. To understand the whole bios stuff I was digging through their docs and sources over the last couple of days to understand that InsydeH2O bios.

Also thanks to Packard Bell (or mother Acer) for selling me that Netbook DOT-S/GE/070 with that crippled Insyde-Bios. If they had not done so I still would not know a bit about bioses.

All trademarks and copyright stuff belong to their holders. This work is intended to be private, there is no commercial intent in doing this stuff. If someone feels betrayed in any way: please contact me and I will correct or add anything or take stuff offline.

I also did not link to any site - I just don't know what people say about linking to them. All things can be easily found on the internet.

I do not give any guarantee for anything on this site. I tested only with ONE netbook, a Packard Bell DOT-S GE 070 (KAV80 bios), so don't blame me if it does not work!

What's this about?

Many people are complaining about their Insyde-Bioses not showing lots of stuff, like power settings or the weird "advanced" settings form mentioned here and there. So was I, and searching the internet did not get me any further. I decided to have a look myself.

With marcan's scripts and the EDK it was possible to build a much more powerful script, which can completely rip apart an InsydeH2O bios file, extract compressed sections and so on.

The problem of the hidden forms is: they are hidden by code, not just by some hidden variable setting. The code which is responsible for hiding those forms resides within the SetupBrowser (EDK) or SetupUtility (Insyde). That SetupUtility is within a compressed section, guarded by some checksums, inside the bios file.

Extracting that SetupUtility was quite simple, since it was already implemented in marcan's tools. But I wanted to change that SetupUtility and re-insert it into the compressed section within the bios file.

First I had to rewrite some parts of marcan's scripts, since they did not care about most of the checksums, nor did they keep track of the positions where the file had been torn apart. After some days I managed to extract the SetupUtility and re-insert it with no change (except for a slightly different compression) - and that bios worked! Seems useless, but this was the most important step. If I was not able to rebuild the bios, why should I try to patch the SetupUtility?

Now some days of reverse engineering (IDA Free 5.0 and studying EDK). I uploaded that SetupUtility and the IDA database with many comments and structs, so if you are interested just have a look at it.

Inside the SetupUtility I finally found the function where the setup forms are initialized (in IDA I think I called it GetAndShowForms, it is visible when you load the file). In that function I located two jumps, where it checks for special TitleIDs of the forms and skips those forms!

Finally I just had to put some patching routine in my scripts to replace those TitleIDs with some non-existent TitleIDs. Done!
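The page does not say which checksums guard the file. As an added example (not part of j-bios or marcan's scripts), the code below assumes the image carries the standard EFI firmware volume header defined in the EDK: it finds each `_FVH` signature, records the volume's position, and checks that the header's 16-bit words sum to zero. The sample image and the helper names are constructed for illustration.

```python
import struct

FVH_SIG = b"_FVH"                  # EFI_FIRMWARE_VOLUME_HEADER.Signature
SIG_OFFSET = 40                    # ZeroVector(16) + FileSystemGuid(16) + FvLength(8)
FIXED = "<16s16sQ4sIHHHBB"         # 56 fixed bytes, followed by the block map
FIXED_LEN = struct.calcsize(FIXED)


def sum16(data):
    """16-bit sum of little-endian words; a valid header sums to 0."""
    return sum(struct.unpack("<%dH" % (len(data) // 2), data)) & 0xFFFF


def find_volumes(image):
    """Return [(offset, fv_length, header_ok)] for every _FVH signature."""
    found = []
    pos = image.find(FVH_SIG)
    while pos != -1:
        start = pos - SIG_OFFSET
        if start >= 0 and start + FIXED_LEN <= len(image):
            fields = struct.unpack_from(FIXED, image, start)
            fv_length, header_length = fields[2], fields[5]
            # Reject implausible header lengths before slicing
            if (FIXED_LEN <= header_length <= len(image) - start
                    and header_length % 2 == 0):
                header = image[start:start + header_length]
                found.append((start, fv_length, sum16(header) == 0))
        pos = image.find(FVH_SIG, pos + 1)
    return found


def build_sample_volume(fv_length=0x1000):
    """Constructed sample: header with one block-map entry plus terminator."""
    header_length = FIXED_LEN + 16
    hdr = bytearray(struct.pack(FIXED, b"\0" * 16, b"\xAA" * 16, fv_length,
                                FVH_SIG, 0, header_length, 0, 0, 0, 2))
    hdr += struct.pack("<IIII", 1, fv_length, 0, 0)
    # Checksum field (offset 50) is set so the whole header sums to zero
    struct.pack_into("<H", hdr, 50, (-sum16(bytes(hdr))) & 0xFFFF)
    return bytes(hdr) + b"\xFF" * (fv_length - header_length)


if __name__ == "__main__":
    good = build_sample_volume()
    bad = bytearray(good)
    bad[44] ^= 0x01                # one Attributes bit changed, checksum now stale
    image = b"\xFF" * 0x200 + good + bytes(bad)
    for off, length, ok in find_volumes(image):
        print("FV at 0x%06x, length 0x%x, header checksum %s"
              % (off, length, "ok" if ok else "BAD"))
```

A rebuilt image in which any header byte changed without the checksum field being recomputed shows up as BAD here, which is the same condition the firmware's own volume parser rejects.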

Files

First: Make sure your system has a bios recovery function. Some modern machines do. This will help if the bios is corrupted or flashing is interrupted for some reason.

On my netbook I flash like this:

Put bios-file to FAT32-USB-Stick. The file needs to have a machine-specific filename. Mine is KAV80.fd. The new version of j-bios includes detection of that name! Run it like: "python j-bios.py mybios.fd" and it should show you possible names to try!

Turn off netbook (or whatever machine)

Remove battery

Remove powercord

Press and hold <fn> and <esc>

Insert powercord (no battery!), powerlight should shortly flash once

Still holding <fn> and <esc> press and release powerbutton and then release keys

Screen stays black, but computer should do something, like searching USB stick. A stick with some reading indication is cool.

After a while the computer should wake up

TEST THESE RECOVERY STEPS WITH A WORKING BIOS! If this works you can even recover from a brick :-)

All python files need python 2.7, python 3 will not work

The fmem Linux module is not needed, unless you want to extract your own bios. Mine is located at 4GB-size (1MB) so you can extract it with:

dd if=/dev/fmem of=mybios bs=1M count=1 skip=4095

Actually the script tries to do that (superuser needed!) if you specify an input file which it cannot read from (e.g. not existent).

fmem is compiled for 32bit Fedora16. If you cannot load it with sudo ./run.sh you need to run make to compile it for your linux platform.

To run the script:

python j-bios.py orgbios outfile

Linux should also do

./j-bios.py orgbios outfile

Run it with no parameters to get more help about switches

Here are the files:

NEW VERSION (Aug 05, 2012)! (not tested on windows, need feedback!)

New in this version:

Tiano Compression

Sony Vaio AMD Page and Intel Page patching

j-asm used for finding patching locations

Showing Recovery Name of BIOS needed for USB-Method!

Short note to the Sony Vaio patches:

Great thanks to a friend from Austria, who sent me his bricked Sony Vaio for having a look at it, making this patching possible and supporting this project with 100€!!!

Hello Sony: I called your support line and asked if it was possible to recover from a brick (since I did not know the recovery name of the BIOS).

Costs: 80€ for sending it in and having a look at it! Includes shipping to Sony and back home and analyses. After that they probably tell you stuff about a new motherboard. Estimated costs: 200€. Even when I asked for the USB method: "No way. Only if you have a second BIOS chip onboard there will be a jumper for recovering the BIOS". There are many cusswords I can think of while writing this :-)

Dear Sony, why do you not tell people how they can recover from their bricks? You actually should know about your own implemented BIOSes. And furthermore why do you put such a crippled BIOS in your laptops?

Howto (Example: Sony Vaio):

DO NOT FLASH ON WINDOWS!

YOU CANNOT RECOVER FROM BRICK IF YOU ARE NOT FAMILIAR WITH THE USB RECOVERY!